Posted by: David Harley | April 29, 2016

Some Android malware research links

IBM Security Intelligence offers an interesting summary of the Android malware scene – Mobile Malware Competition Rises in Underground Markets, by Limor Kessem.

For The Register, Darren Pauli comments – Screen overlay malware on the rise as bot scum battle for dominance: Tanking PC trojans turn VXers to Android – and also links to a FireEye article by Wu Zhou, Junyuan Zeng, Linhai Song, and Jimmy Su: A growing number of Android malware families believed to have a common origin: a study based on binary code.

David Harley

Posted by: David Harley | April 22, 2016

Ransomwhere? Well, less on OS X maybe

Patrick Wardle’s Ransomwhere? takes a generic approach to detecting ransomware in action on a Mac, ‘by detecting untrusted processes that are encrypting your personal files.’

It sounds like a good idea, and I certainly wouldn’t want to dissuade you from taking a look at it. However, John Leyden remarks that ‘it’s the sort of thing that security software firms ought to be doing, but aren’t’, while Wardle himself remarks that ‘Sadly, existing anti-virus solutions fail to detect new samples, leaving most users completely unprotected.’

I happen to think both remarks are misleading, and explain why on ITSecurity UK: Ransomwhere? – detecting new ransomware. But while I haven’t tested it, a generic defence against OS X ransomware sounds like a good idea.

I’ve just noticed some useful commentary from Michael Mimoso for Threatpost: Generic Ransomware Detection Comes to OS X

David Harley

Posted by: David Harley | April 21, 2016

Securing Android

In September 2015, several sources (such as the Wall Street Journal) reported that Google was claiming 1.4 billion active users of Android, and that 1 billion people had used the Play store in a recent 30-day period. I haven’t seen more recent figures, but I’m sure they haven’t been diminishing. While this is all very good news for Google – perhaps less so when we  it’s something to bear in mind when browsing Google’s report Android Security 2015 Year In Review.

While describing Google’s ongoing improvements to Android security, the report also mentions that ‘…successful exploitation of vulnerabilities on Android devices continued to be extremely rare during 2015…’, which is good to know, but it would be nice to see that quantified. That sentence is placed next to some observations on ‘Potentially Harmful Applications’ (PHAs), but how much malware is focused on OS or application vulnerabilities rather than on social engineering? I don’t have information specific to Android that would enable me to answer that authoritatively, but I’d expect it to be fairly small.

Android 6 (Marshmallow) benefits from a wide range of security measures. However, the report indicates that nearly 30% of active Android devices are still on an OS version earlier than 4.4.4 (KitKat), and that suggests well over 400 million devices Google doesn’t support with patches.

Patches are supplied to manufacturers and (since August 5th 2015) to the Android Open Source Project, but that doesn’t, of course, mean that all those updates find their way to all consumers’ devices. However, the report says that device manufacturers are beginning to document their commitment to updating. (There’s also an issue with an undetermined number of devices that don’t use the official licensed OS version.)

Google does pick up on a point recently made by Dino Dai Zovi at Black Hat Asia. According to The Register, he observed that “The ecosystem is such that it makes exploitation more difficult because it needs to be designed for [each device]”, which Google translates into ‘Over time, we’ve come to recognize that the diversity of devices is a security strength unique to the Android ecosystem…Android’s varied ecosystem (with over 60,000 different device models) provides a naturally occurring defense against simple widespread exploitation…’ There’s some truth in that, of course, but I think its importance can be overstated.

On the topic of PHAs, the percentages are reassuringly small as stated by Google.

On average, less than 0.5% of devices had a PHA installed during 2015 and devices that only installed applications from Google Play averaged less than 0.15%.

I must confess to being slightly confused as to what ‘average’ is being estimated here. In any case, in the context of the huge Android user-base, what Google regards as a small percentage may be seen as quite impressive. At any rate, by my reckoning that makes about 7,000,000 devices with a PHA, and I don’t think that’s trivial. Unfortunately, if there’s a number given for devices that installed only from Google Play, I missed it, so I don’t know what 0.15% is in ‘actual’ figures. But it makes sense, given the resources Google devotes to verifying apps available through Play, that the percentage would be smaller than for devices that install apps from other sources.

Still, in his introductory blog, Andrew Ludwig says:

One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem.

There are lots of positives in this report. And that really is a worthy aim.

David Harley


Posted by: David Harley | April 15, 2016

Bruce Schneier – the FBI and the Farook iPhone

You might call this a postscript to a coda.

Schneier refers to the title of his article for the Washington Post – Your iPhone just got less secure. Blame the FBI – as clickbait. However, the subtitle summarizes its tone pretty well.

When Johns Hopkins discovered a different security flaw, it notified Apple so the problem could be fixed. The FBI is keeping its newly found breach a secret from everyone.

Schneier himself comments:

The FBI did the right thing by using an existing vulnerability rather than forcing Apple to create a new one, but it should be disclosed to Apple and patched immediately.

David Harley

Posted by: David Harley | April 14, 2016

Farook phone: coda, but no code

Kieren McCarthy for The Register tells us that You won’t believe this, but… nothing useful found on Farook iPhone – FBI not exactly shining with this one.

I suspect that many of us will have no trouble believing it, given that it was Farook’s work phone and that he’d gone to some lengths to destroy his personal phones and digital media.

McCarthy concludes:

The fact that Farook’s phone seemingly holds no useful intelligence is therefore not in itself of importance. It does, however, put another question mark over how honest the FBI has been and continues to be in this case.

David Harley

Posted by: David Harley | April 12, 2016

InstallCore strikes again

Graham Cluley, writing for Intego, reports Mac Users Attacked Again by Fake Adobe Flash Update. Intego identifies the rogue installer as a variant of OSX/InstallCore. The malware installs potentially unwanted software onto compromised systems, and gets past Gatekeeper by signing the malcode with an Apple developer certificate. Graham reports that:

At the time of writing, the compromised Apple developer ID certificate (MDK7FNV856, in the name of one Nikolay Nikolay Lastovka) has not been revoked.


David Harley

Posted by: David Harley | April 6, 2016

iOS passcode bypass vuln: found and fixed

Vulnerability Labs issued an alert regarding ‘A passcode bypass vulnerability … discovered in the official Apple iOS v9.3.1 for iPhone 6S & iPhone Plus models.’ Also published on Full Disclosure.

For the Register, Richard Chirgwin comments: Security bods disclose lock bypass bug in iOS – Let the wild speculation about just how the FBI cracked San Bernardino killer’s phone begin.

Also relevant: New iPhone 6s passcode bypass lets handlers access Photos and Contacts; here’s how to protect yourself. A later 9To5Mac article details how Apple fixed the issue server-side without the need for an iOS update: Apple fixes Siri passcode bypass flaw and Night Shift + Low Power Mode trick.

David Harley

Posted by: David Harley | April 6, 2016

iOS Remote Hot Patching

FireEye discusses the pros and cons of third-party hot-patching utilities, which allow developers to push a quick patch for a program with a serious bug or security issue without going through Apple’s painstaking app review process, which can take quite a while. But do such third-party solutions entail their own security issues?

Rollout Or Not: The Benefits And Risks Of iOS Remote Hot Patching

David Harley

Posted by: David Harley | March 29, 2016

FBI: Apple, you’re Dismissed…

In case you hadn’t noticed, the FBI claims it has now accessed encrypted data on the San Bernardino phone, and has apparently asked for the order forcing Apple to cooperate to be vacated. Commentary:

  • Threatpost: FBI Breaks Into Terrorist’s Encrypted iPhone – Michael Mimoso makes the point that despite the FBI’s claims, ‘Apple was not the only entity that could break the phone and that forcing it to intentionally weaken the cryptography protecting its products put all of its users at risk.’
  • Graham Cluley: The FBI has hacked into the San Bernardino iPhone – John McAfee not required. Like Mimoso, he wonders whether the Israeli company Cellebrite is the third party that apparently provided the FBI with a solution, while assuming that it wasn’t the notorious Mr McAfee. He also wonders whether the FBI will share with Apple the means used to gain access – he suspects not, and he’s probably right. 
  • Jonathan Zdziarski et al suggest a face-saving exercise of some sort.
  • John Gruber offers a link to the request to evacuate – sorry, vacate – and observes that ‘A battle is over, but the war has only just begun.’ I’m afraid he’s right.

David Harley

Posted by: David Harley | March 23, 2016

iMessage 0-day Revisited

The Register revisits the iMessage 0-day – see previous article on iMessage Encryption Issue – and this time takes a less dramatic view of its potential for harm.

What was all that about a scary iMessage flaw? Your three-minute guide – How a powerful hacker could just about intercept and decrypt your texts

Chris Williams points out that:

You have to be a determined and well-resourced attacker to exploit this.

Well, yes… Good summary, though.

David Harley 
